Countermeasure method for a microcontroller based on a pipeline architecture

ABSTRACT

A countermeasure method for a microcontroller that executes sequences of instructions. The instructions are executed according to a pipeline method. At least one waiting time is randomly introduced between two consecutive instructions and/or within at least one instruction. The method is implemented by the electronics of the microcontroller rather than by software addition.

This disclosure is based upon French Application No. 00/04426, filed on Apr. 6, 2000 and International Application No. PCT/FR01/00794, filed Mar. 16, 2001, the contents of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

The present invention relates to a countermeasure method for a microcontroller in which sequences of program instructions are executed.

The present invention applies in particular to protected electronic components such as microcontrollers for chip cards, for example.

Microcontrollers are monolithic integrated circuits incorporating at least one microprocessor, also referred to as a CPU, standing for Central Processing Unit in English terminology. These microcontrollers are true computers on a single silicon substrate, or integrated circuit chip.

Thus microcontroller chip cards constitute protected information carriers which have the same structure as a computer, that is to say they make it possible to store data and also to process information. In this context, the role of the microcontroller is to authenticate the card and its bearer, to encode and decode messages and to calculate electronic signatures proving that a licit operation has indeed been performed.

FIG. 1 illustrates schematically the structure of a microcontroller for a chip card. Such a microcontroller, integrated on a chip, has a microprocessor, or CPU, able to process the data and programs recorded on the chip. The microprocessor is associated with different types of memory by means of data buses. The operating programs and the algorithms are generally stored in a ROM memory, whilst the data, secret or not, are stored in a programmable memory of the EEPROM type, for example. A RAM memory contains the working registers necessary for the various internal processing actions. An input/output component, composed of a connector, for a chip card with contact, provides the dialogues with the outside world.

The operations of the microcontroller are sequenced by a clock (CLK). The microcontroller also has a power supply Vcc and an earth GND.

There are essentially two families of microcontroller. The majority of microcontrollers existing at the present time (approximately 90%) are based on a CISC (from the English Complex Instructions Set Computer) architecture in which the instructions are read and executed sequentially by a large decoding engine. However, the current trend is to use, more and more, microcontrollers with RISC (from the English Reduced Instruction Set Computer) architecture in which the instructions are read and executed in parallel. Such an architecture requires several expensive decoding engines in place on the integrated circuit chip, but it is also much more rapid in the execution of the sequences of instructions. In particular, RISC architectures using a so-called “pipeline” method make it possible to interleave several instructions by dividing them into substeps and executing steps of several instructions in the same clock cycle. The particularities of the pipeline in RISC architecture will be enlarged on hereinafter.

The execution of programs by the microcontroller must therefore be protected since all or some of the data being manipulated are secret. The protection can be provided by mathematical algorithms integrated into the programs executed, and/or by so-called countermeasure methods.

A countermeasure method is a protection method which consists of preventing the data manipulated during the execution of the instructions of a program being able to be interpreted outside the protected component. Such a leakage of information is possible through the very structure of the microcontroller, which may suffer what are referred to as power attacks, or DPA, standing for Differential Power Attack in English terminology.

FIG. 2 illustrates the principle of power attack by means of a graph of the current consumption I of the chip according to the number of clock beats t.

When the microprocessor executes a program composed of a sequence of instructions (Ins1, Ins2, Ins3, . . . ), with an algorithm, whether secret or not, it seeks the necessary data in memory, processes them and writes the results in memory.

Conventionally, the execution of a sequence of instructions always takes place in the same way, identical and determined, whatever the architecture (CISC or RISC) of the microcontroller used.

It then becomes possible to effect a power attack simply by reading the current consumption of the microcontroller (from its power supply Vcc), which may allow information on the secret data being handled to show through. In order to obtain such information, it is necessary to perform the same sequence of instructions several times. It then becomes possible to correlate the current consumption with the data processed during the execution of the same instruction. The current consumption of the microcontroller can thus become a veritable indicator of the data being manipulated.

For example, an attacker can proceed in the following manner. Consider a secret data item of eight bytes k[i], with i from 1 to 8. An accumulator is used and a loop is effected for i from 1 to 8: Acc = k[i] xor k[i+1]. At the end of the loop, Acc = xor(Σ(i=1 to 8) k[i]) is obtained. When the current consumption I is observed as a function of time during this sequence (loop), a curve is obtained with the cyclic trend which is the reflection of what was executed in the microcontroller, that is to say in the example cited eight identical signals are obtained for the eight operations of the loop. Nevertheless, if each element of the signals is compared, it is possible to extract differences, and thus information on the k[i] secrets. Observation is also facilitated by the possibility of having the same loop executed several times. The current consumption of the card being the same for one and the same sequence of operations, it is possible to extract the information sought.

Consequently it becomes essential to eliminate the repetition in the current consumption for the same sequence of instructions. This is the objective of the countermeasure methods.

Such countermeasure methods already exist, in particular in the software field, where programs containing random variants may be used. Such programs can have recourse to subprograms in a random fashion. Thus, for the same task repeated several times, which conventionally would invoke the same sequence of instructions, different subprograms are invoked and give rise to the execution of different sequences of instructions. It becomes impossible to correlate the current consumption and the data being manipulated.

Such a software solution is however complex to implement. It is necessary in fact to write the different subprograms, which is expensive in development time and in code size.

SUMMARY OF THE INVENTION

The object of the present invention is a countermeasure method which resolves the drawbacks of the prior art. The invention proposes such a countermeasure method based on the execution of the sequences of instructions according to a so-called pipeline method in an electronic component with RISC architecture, for example.

The invention introduces the principle of random and non-reproducible execution at each sequence of instructions at the level of the instruction itself.

The invention more particularly relates to a countermeasure method for a microcontroller able to execute sequences of instructions, the said instructions being executed according to a so-called pipeline method, characterised in that the method consists of randomly introducing at least one waiting time between two consecutive instructions and/or within at least one instruction.

According to one characteristic, the instructions are broken down into a plurality of substeps.

According to one particularity, the substeps can consist of:

- a step of acquiring the instruction,
- a step of decoding the instruction,
- a step of executing the instruction, and
- a step of writing the result of the instruction.

According to one characteristic, the waiting time is introduced randomly between any two substeps of an instruction.

According to another characteristic, the instructions can be macro-instructions corresponding to complex logic modules such as sub-blocks of cryptographic algorithms.

According to another characteristic, the waiting time is introduced randomly several times during the execution of the sequence of instructions.

According to one characteristic, the waiting time is introduced following a software command preceding the sequence of instructions to be protected.

According to one characteristic, the method is implemented through a non-software implantation which is the direct responsibility of the instruction decoding electronics.

According to another characteristic, the introduction of the waiting time can be regulated statically or dynamically, by means of an electronic or software parameter, so as to adjust the variability of the execution of one and the same sequence of instructions.

According to one implementation of the invention, the method is implemented in an integrated circuit chip having a microcontroller with RISC architecture with pipeline.

The invention advantageously applies to any protected device of the chip card type.

The invention has the advantage of proposing a mechanism implemented directly at the level of the microcontroller, on the integrated circuit chip. The complexity of the software solutions is thus avoided.

In addition, the countermeasure method according to the invention guarantees the execution of any program, protected or not, on an electronic component equipped with such a countermeasure mechanism.

It is in fact the component itself, rather than the sequence of instructions of the program, which ensures the random execution and therefore the protection of the data being manipulated. This advantageously makes it possible to have programs decorrelated from the component, which can prove very useful in the context of certain applications. The same component can thus be used with different programs without losing its level of protection.

BRIEF DESCRIPTION OF THE DRAWINGS

Other advantages and particularities of the invention will emerge during the following description given by way of illustrative and non-limitative example with reference to the figures, in which:

FIG. 1, already described, illustrates schematically an integrated circuit chip provided with a microcontroller,

FIG. 2, already described, is a graph illustrating the method of power attack on a protected electronic component,

FIG. 3 is a diagram illustrating the functioning of a conventional microcontroller with CISC architecture for a decoding of instructions,

FIG. 4 is a diagram illustrating the functioning of a conventional microcontroller with RISC architecture for a decoding of instructions,

FIG. 5 is a diagram illustrating the functioning of a microcontroller with RISC architecture according to the present invention, for a decoding of instructions.

DETAILED DESCRIPTION

The countermeasure method according to the invention is based on the principle of the processing of instructions in pipeline generally used in a microcontroller with RISC architecture.

Several points distinguish RISC architecture from CISC architecture.

Firstly, to each instruction there corresponds a single logic block implemented in the form of a specific and unique electronic submodule, so that the decoding and execution of an instruction can take place in a single clock cycle, whilst CISC architecture uses a single electronic block sequentially processing all the instructions.

Secondly, the data bus is differentiated from the instruction bus to allow the decoding of an instruction at each clock cycle independently of the data stored in memory and used by the other instructions. This makes it possible to go and seek data in memory simultaneously with the decoding of the instructions which have to process them. In addition, all the instructions must have a size at least equal to that of the external data bus so that the decoding of the instructions is direct and entails no delay.

There are in general two models of microcontroller with RISC architecture:

- the “Stanford” model, which uses chains of optimised instructions, more commonly known as the pipeline technique, making it possible to use a very powerful set of instructions;
- the “Berkeley” model, which uses chains of instructions allowing rapid invocations of subroutines and particularly adapted to real-time applications.

The present invention applies more particularly to the pipeline technique proposed in the “Stanford” model. This is because the invention proposes a countermeasure method which relies on this pipeline architecture.

Pipelines make it possible to interleave the execution of several instructions by dividing each instruction into several substeps and executing these substeps in parallel. Thus a pipeline stage is defined as the set of substeps executed simultaneously. Thus the number of clock cycles per instruction will be divided proportionally to the number of pipeline stages.

It should be noted that, when a program, or more simply a series of instructions, is executed, the functioning of the pipeline may be broken when instructions arise such as branch, jump, interrupt and other exceptions to the linear execution of instructions.

FIGS. 3 and 4 illustrate respectively the conventional functioning of a microcontroller with CISC architecture and RISC architecture with pipeline.

The instructions INSn can be simple instructions or macro-instructions corresponding to complex logic modules, such as sub-blocks of cryptographic algorithms, such as for example permutation, compression or expansion constructions, non-basic mathematical functions, look-up tables, or others.

The instructions INSn are advantageously broken down into several substeps. An example of breaking down into four substeps is given by way of example and must not be considered to be restrictive.

The first step “F”, from the English acronym “FETCH”, makes it possible to seek in memory the instruction to be decoded. It places this instruction, which is next transmitted to the following stage, on the bus.

The second step “D”, from the English acronym “DECODE”, decodes the instruction, that is to say activates the submodule of the microcontroller which is able to process this instruction.

The third step “E”, from the English acronym “EXECUTE”, executes the instruction in the submodule of the microcontroller.

The last step “W”, from the English acronym “WRITE”, writes the result of the instruction executed by the submodule of the microcontroller on the bus. This result is then used in the remainder of the execution or returned to memory.

It can be seen, from FIG. 3, that only two instructions have been able to be completed in eight clock cycles by a microcontroller with CISC architecture.

Conversely, as illustrated in FIG. 4, for a pipeline with four substeps, six instructions have been able to be completed in only nine clock cycles. The total execution time is reduced because substeps of several instructions have been able to be executed simultaneously.

Such an architecture is however not immune from a power attack. This is because, if the same sequence of instructions is repeated several times, there will always be the same chaining of stages of the pipeline with the same current consumption.

In order to resolve the problem generated by power attacks and to prevent reproducibility of the current consumption for the same sequence of instructions executed several times, a waiting time, Break B, is introduced randomly into the processing of the instructions. This waiting time B can be introduced randomly at the start of an instruction and/or between any two substeps of one and the same instruction.

The random waiting time B can also be introduced several times if necessary during the execution of a sequence of instructions.

FIG. 5 illustrates the mechanism of the countermeasure method according to the invention.

The random waiting times B prevent any reproducibility of the current consumption by modifying, at each sequence of instructions, the pipeline stages without interfering with the execution of the instructions.

The method according to the invention is executed through a non-software implementation, directly executed by the electronic module (hardware) for decoding instructions of the microcontroller.

In its functioning, the method can be adjustable, statically or dynamically, by electronic or software means, in order to obtain more or less variability in the repeated execution of the same sequence of instructions.

According to one possibility of implementing the method according to the invention, the introduction of the waiting time B can be dependent on a start-up controlled in a software manner, for example just before the execution of the sequence of instructions which it is wished to protect. In this way the speed of execution of a sequence of instructions which does not require any particular protection is not compromised.

The method according to the invention thus ensures the random execution of a sequence of instructions, that is to say the non-reproducibility of this sequence from one execution to another, and this for the same functional result.

A compromise must simply be defined in order not to excessively extend the execution time for the sequence of instructions and thus lose the main advantage of the pipeline.
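
The scheduling effect described above, as an added example that is not part of the original disclosure: a small Python model of the four-substep pipeline that reproduces the six-instructions-in-nine-cycles case of FIG. 4 and then draws random wait cycles B before substeps. The in-order, one-instruction-per-stage model, the `stall_prob` parameter and all function names are assumptions of this example, and Python's `random` only stands in for the hardware random source.

```python
import random

STAGES = ("F", "D", "E", "W")  # the four substeps named in the description

def schedule(n_instr, stall_prob=0.0, rng=None):
    """Cycle in which each instruction performs each substep: start[i][s].

    Assumed model: in-order pipeline, one instruction per stage per cycle.
    Before every substep a wait cycle B is drawn with probability stall_prob,
    repeatedly, so several B in a row are possible.
    """
    if not 0.0 <= stall_prob < 1.0:
        raise ValueError("stall_prob must be in [0, 1)")
    rng = rng or random.Random()
    start = []
    for i in range(n_instr):
        row = []
        for s in range(len(STAGES)):
            earliest = row[s - 1] + 1 if s else 0
            if i:  # the stage must have been vacated by the instruction ahead
                prev = start[i - 1]
                free = prev[s + 1] if s + 1 < len(STAGES) else prev[s] + 1
                earliest = max(earliest, free)
            while rng.random() < stall_prob:
                earliest += 1  # one random wait cycle B
            row.append(earliest)
        start.append(row)
    return start

def total_cycles(start):
    return start[-1][-1] + 1

def execute_cycles(start):
    """Cycle of the E substep of every instruction: what a trace would align on."""
    return tuple(row[STAGES.index("E")] for row in start)

def render(start):
    """One text row per instruction, one column per clock cycle."""
    rows = []
    for i, row in enumerate(start):
        cells = ["."] * total_cycles(start)
        for c in range(row[0], row[-1]):
            cells[c] = "B"  # waiting: drawn for this instruction or inherited
        for s, c in enumerate(row):
            cells[c] = STAGES[s]
        rows.append(f"INS{i + 1} " + " ".join(cells))
    return rows

def mean_cycles(n_instr, stall_prob, runs=500, seed=1):
    """Average run length, i.e. the execution-time cost of the countermeasure."""
    rng = random.Random(seed)
    return sum(total_cycles(schedule(n_instr, stall_prob, rng)) for _ in range(runs)) / runs

if __name__ == "__main__":
    rng = random.Random(2024)  # constructed seed, for a repeatable printout only
    for label, p in (("no countermeasure", 0.0), ("random waits, p=0.3", 0.3)):
        print(label)
        print("\n".join(render(schedule(6, p, rng))))
    print("mean cycles, 6 instructions:", [mean_cycles(6, p) for p in (0.0, 0.1, 0.3, 0.5)])
```

Raising `stall_prob` spreads the cycle in which a given instruction executes over more positions from run to run, at the price of a longer mean run; `mean_cycles` puts a number on that compromise.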

1. A countermeasure method for a microcontroller that executes sequences of instructions according to a pipeline method, wherein an instruction comprises a plurality of substeps that are performed during respective clock cycles of said microcontroller, said method including the step of randomly introducing a wait time for a clock cycle between the clock cycles during which two successive substeps of an instruction are performed.
2. A countermeasure method according to claim 1, wherein the instructions are macro-instructions corresponding to complex logic modules.
3. A countermeasure method according to claim 2, wherein said complex logic modules comprise sub-blocks of cryptographic algorithms.
4. A countermeasure method according to claim 1, wherein a wait time is introduced randomly several times during the execution of the sequence of instructions.
5. A countermeasure method according to claim 4, wherein a wait time is introduced following a logic command preceding a sequence of instructions to be protected.
6. A countermeasure method according to claim 1, wherein the introduction of the wait time is effected through a non-software implementation executed by a module of the microcontroller that decodes the instructions.
7. A countermeasure method according to claim 1, wherein the introduction of the wait time is randomly determined by means of a parameter, so as to adjust the variability of the execution of one and the same sequence of instructions.
8. A method according to claim 1, wherein the introduction of the wait time is implemented in an integrated circuit chip having a microcontroller with RISC architecture with pipeline processing.
9. A protected device of the chip card type, including an electronic component that implements a countermeasure method by randomly introducing at least one wait time for a clock cycle between clock cycles during which successive substeps of an instruction are performed.